How Failing to Protect Your Physical Data Can Provide Rich Pickings For All Sorts of Criminals

In our highly connected world technology and security threats have advanced quickly, meaning many organisations face the risk of having their company data and personal information being compromised. This data can easily end up in the hands of criminal groups who either use it for their own nefarious purposes or sell it on to fund their criminal activities using a network of shady intermediaries and anonymous websites. Once your information is out there, there is no telling in whose hands it might end up.

We spoke to Mr Yaniv Peretz from Certified Counter Terrorism Practitioner (CCTP), a credential programme, which provides practical knowledge and expertise in terrorism prevention. He shared valuable insights into the links between criminal groups, who are increasingly taking a ‘low-tech’ approach to obtain information, often to fund extremist causes, and how physical data can be just as valuable as digital data in the wrong hands.

Why do criminals want to obtain physical data?

Criminals are looking to get their hands on any kind of data that is deemed confidential, such as documents containing personal or financial information for example. This is because this information is valuable and can be sold to other criminals or ransomed to the company it was stolen from, and because it gives them access to manipulate the data for other criminal activities including money laundering and identity theft.

Are there specific types of data and information that criminals look out for?

Criminals will always start by doing research into who they are targeting. Once they have established this, they will be able to determine which items of value they can gain access to through the person or organisation. For example, if they can gain access to the computer of an office assistant, they can work their way up to a senior executive who might have access to sensitive client or account information or by compromising cleaning crews they could get their hands on documents that the company is discarding.

Since organizations are getting better at protecting their digital data through encryption, passwords, firewalls and network monitoring, it is often easier for criminals to go after physical data such as paper documents containing confidential and/or personal information. It is also more difficult to trace the source of a leak with physical breaches, which opens the door to repeated abuse and exploitation of the same source and sometimes allows them to get away before a breach is detected.

How do criminals plan their attacks?

Criminal groups plan their attacks carefully. The first phase begins by identifying easy targets and any weak spots in an organization that can be exploited. This enables them to figure out where they can target to get the best results. Often this will take the form of exploiting human errorsuch as through a phishing attack, but it can also be as simple as looking at how and where paper documents are being disposed of. For example, confidential documents thrown into insecure recycling bins can easily be obtained by fraudsters. Once documents leave your possession, they are much harder to keep track of, which is perfect for criminals.

What should organizations and individuals do to protect their information and prevent criminals from accessing their physical data?

The only way to ensure that the confidential data from your organisation does not end up in the wrong hands, is by ensuring that robust information security management systems are in place to prevent unauthorised access to your data.

Simple steps are often the most effective, such as implementing a Shred-it All Policy and a Clean Desk Policy. Both systems ensure that documents are never unwittingly exposed to prying eyes and reduce the risk of information accidentally getting lost or stolen. Regular reviews of your processes and procedures and periodic audits of third parties for security weaknesses are also important.

Frequent employee training can help the entire workforce to remain vigilant to information security risks, and identify any unusual behaviour. For example, if they see a third-party vendor somewhere they shouldn’t be, or requests for payment from vendors coming from a different email address than normal. The best people to spot if anything is out of place are your own staff.

Disposing of sensitive information using a secure shredding process will help prevent it from ending up in the wrong hands. Crosscut shredding technology, which turns sensitive paperwork into confetti-sized pieces is recommended as strip-shredded documents can be scanned and reconstructed by computer software. This ensures that unwanted physical data cannot be reproduced or recreated. Partner with a secure document destruction company to ensure the ongoing protection on your information.

ABS CertifiedShred-it has been certified by the Association of Banks in Singapore (ABS) as an approved outsourced service provider. OSPAR (Outsourced Service Provider’s Audit Report) assesses control and governance, and standardises requirements and auditing processes for firms providing services to the financial industry, confirmed by an annual independent audit.

NAID MemberShred-it Singapore is a NAID Member, adhering to the stringent security practices and procedures established by the National Association for Information Destruction.